Former Member
Nov 12, 2013 at 02:59 AM

PPM Security Advice Needed


Hi PPM Security Experts,

I was hoping you could provide some guidance with an issue I'm having.

Here's my situation:

> Business requirement is to have the following roles:

- Create/change portfolio initiatives, items & reviews (segregated into 3 roles for each portfolio object)

- Display portfolio initiatives & items (all initiatives, items & reviews - again, segregated into 3 roles for each portfolio object).

> Current solution:

- Have built the create/change roles with auth. object ACO_SUPER (admin/write/read)

- Have built the display roles with auth. object ACO_SUPER (read)

> Problem

- I am finding that my back-end PFCG roles are overridden by the front end 'miscellaneous' authorizations tab when users assign permissions to portfolio objects manually (i.e. assigning admin access to a portfolio initiative to a user, even though that same user only has display access in his/her back-end roles).

Based on some discussions that I've read, it has been suggested not to use the ACO_SUPER object. Therefore, I am wondering what object(s) I can use instead to meet the business requirement above. Can someone perhaps provide me with an example or two of how I can achieve this? Or do you guys think that the usage of ACO_SUPER would meet my requirements?

Your help would be greatly appreciated! Even some minor guidance would be great!

Warm regards,